Last updated: May 2026
Flow-Logic is a web-based educational tool for creating, editing, saving, loading, and simulating flowcharts. This Privacy Policy explains how Flow-Logic processes personal data when schools, MATs, staff, learners, purchasers, and support contacts use the public website, licence checkout, IP-locked play area, admin/support features, and optional Google Drive integration.
This notice is written to support UK school and MAT data protection reviews, including DPIA and procurement checks. It is not a substitute for a school's own DPIA, but it gives the supplier information needed to assess the nature, scope, context, purposes, lawful bases, retention, recipients, risks, and mitigations for Flow-Logic.
Flow-Logic is published by Flow-Logic Educational Tools. For data protection, licence, or school procurement questions, contact info@flow-logic.co.uk or use the online contact form. A postal address and signed school Data Processing Agreement can be provided to schools, MATs, and public-sector procurement teams on request.
Flow-Logic has not appointed a statutory Data Protection Officer. Data protection enquiries should be sent to the contact details above.
Flow-Logic acts as an independent controller for personal data it uses to run its own website and business: licence purchases, payment records, invoices, support messages, access administration, security logs, and service-level usage records.
Where a school or MAT uses Flow-Logic with learners and any learner personal data is processed solely to provide the school-selected educational service, Flow-Logic will act as a processor for the school to that extent. The school remains the controller for its learners' education records, classroom use, user instructions, and any decision to use Google Drive or other third-party storage with learners.
If Flow-Logic processes personal data for its own legal, security, billing, or operational purposes, it remains an independent controller for that processing. Flow-Logic does not process learner personal data for advertising, profiling, resale, or unrelated product research.
Depending on how Flow-Logic is used, we may process:
Flow-Logic does not ask for special category data, criminal-offence data, medical data, free-text pupil profiles, or safeguarding information. Users should not include such information in support messages or project files.
Flow-Logic can be used by learners under a school licence, but it is designed so learners do not need individual Flow-Logic accounts. The standard play area uses the school's authorised public IP address and shared school access credentials rather than pupil usernames.
Under UK GDPR, we rely on the following lawful bases:
Flow-Logic uses cookies and similar browser storage only for access, security, draft restore, and limited usage measurement. These technologies are first-party unless a user chooses to use Google Drive or Stripe checkout.
flowlogic_usage_id: a first-party, random, HttpOnly visitor identifier used to reduce duplicate counting in licensed-page usage reports. It does not contain a name, email address, school name, or project content. It may last up to 12 months if enabled.flowlogic_model_draft_[model] cookie marker: a first-party marker showing that a local browser draft exists for a specific model. It may last up to 30 days unless cleared earlier.flowlogic_model_draft_[model] local storage: local browser storage containing the user's draft flowchart for that model. It stays on the device/browser until the user clears the draft, the browser storage is cleared, or the device/browser policy removes it.Blocking or clearing cookies/storage may stop draft restore, require a fresh login, or make unique-visitor counts less accurate, but the core educational flowchart tool does not rely on advertising cookies.
Flow-Logic optionally integrates with Google services so a user can save and load Flow-Logic project files
(typically .flow files) in their own Google Drive. This feature is optional and user initiated.
When Drive Save or Drive Load is used, Flow-Logic uses:
Flow-Logic currently requests these Google permissions:
https://www.googleapis.com/auth/drive.file - create, open, and update files created by or selected for use with Flow-Logic.https://www.googleapis.com/auth/drive.metadata.readonly - read file/folder metadata needed for Drive Picker and Drive file selection. This does not give Flow-Logic permission to read the full contents of every Drive file.Flow-Logic does not store Google access tokens on its server. Project files are sent between the browser and Google APIs when the user chooses to save or load. Flow-Logic servers do not keep copies of Google Drive project files.
Payments are processed by Stripe. Flow-Logic does not store full card numbers, CVC values, or full bank-card credentials on its own servers. Stripe collects billing information needed to process payment, receipts, invoices, tax, fraud prevention, and compliance.
Stripe sends the buyer's payment receipt/invoice to the checkout email address. Where Stripe Tax applies, VAT values are shown on Stripe billing documents. Flow-Logic receives payment confirmation and reference data so it can process licence setup and support the purchase.
During checkout, a school provides a model access password and a separate teacher admin panel password for automated setup. The model access password is a shared site access credential, not an individual pupil password. It must be unique to Flow-Logic and must not be reused from email, MIS, Google, Microsoft, network, or any other sensitive account.
Flow-Logic stores model access passwords as secure hashes for login checks, and stores the current model access value where needed so authorised teachers can see and manage the shared site password in the Teacher Admin Panel. Purchase notifications may include the submitted setup values, so schools should treat them as managed site credentials and ask for a reset if it has been shared too widely.
The Teacher Admin Panel lets authorised staff view and change the model access password, update the registered school IP address within the yearly limit, create one-hour teacher home access passwords, and view task solution passwords. Flow-Logic keeps audit records for these actions so licence administrators can monitor unusual activity.
Flow-Logic uses a small number of service providers to operate the service:
These providers may process data in the UK, EEA, United States, or other jurisdictions. Where personal data is transferred internationally, Flow-Logic relies on the transfer safeguards made available by the relevant provider, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or equivalent contractual and organisational safeguards.
Provider privacy information: Stripe Privacy Policy, Google Privacy Policy.
Flow-Logic uses proportionate technical and organisational measures, including:
We keep personal data only for as long as needed for the relevant purpose:
Where a school or MAT requires Flow-Logic to act as a processor for school-controlled learner personal data, Flow-Logic can provide a short written Data Processing Agreement. The standard commitments are:
Depending on the lawful basis and context, individuals may have rights to access, rectification, erasure, restriction, objection, data portability, withdrawal of consent where consent is used, and not to be subject to solely automated decisions with legal or similarly significant effects.
Purchasers, staff contacts, and support users can exercise rights by contacting info@flow-logic.co.uk or using the contact form. Learners and parents/carers should usually contact their school first, because the school controls classroom use and can verify the request. Flow-Logic will support the school where it acts as processor.
Please contact Flow-Logic first so we can try to resolve the issue. You also have the right to complain to the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/.
Flow-Logic does not make automated decisions about learners, does not profile learners, does not serve behavioural advertising, does not sell personal data, and does not use learner work or project files to train AI models. Flow-Logic may send transactional service emails about purchases, licence setup, support, invoices, or security.
This Privacy Policy may be updated occasionally to reflect changes to the application, providers, or legal requirements. The "Last updated" date will be revised when material changes are made.
If you have questions about this Privacy Policy, school DPIA information, or a Data Processing Agreement, contact info@flow-logic.co.uk or use the online contact form.